I'm using OpenID Connect for a site that uses Google as the provider, but needs to restrict users to certain domains. For this and other purposes, it would be useful to allow modules to block Drupal login or perform other actions after the user has been authorized by the provider but before they've been logged into Drupal. I suggest an openid_connect_pre_login hook similar to the existing openid_connect_post_authorize hook. I've got a version of this working on my site. I'll generate a patch file and upload it shortly.
Comment | File | Size | Author |
---|---|---|---|
#5 | add_pre_login_hook-2559543-5.patch | 2.59 KB | illeace |
#2 | add_pre_login_hook-2559543-2.patch | 2.4 KB | illeace |
Comments
Comment #2
illeace at Clarity Innovations, Inc. commented
Here's the promised patch file.
Comment #3
othermachines commented
Comment #4
othermachines commented
I think this is a great feature. Patch applies cleanly and works as advertised.
A couple of comments:
- Do you think $account should also be passed in as an argument? Whether the account exists may be useful info in some circumstances. (Although I can't think of any off the top of my head.)
- In the API example, can we use a value we know will exist, like $userinfo['email']? I was a little confused by what $userinfo['hd'] was supposed to be.
Thanks a lot for this!
Comment #5
illeace at Clarity Innovations, Inc. commented
Both suggestions seem reasonable to me. The revised patch now passes $account as a parameter to the hook, and I've updated the example in the API file to be a little more generic.
Comment #6
othermachines commented
Patch applies. I further tested it by implementing a hook with the example code and it all checks out.
Great work. I would love to see this committed!
Comment #7
othermachines commented
@illeace I came across an issue unrelated to your patch while testing: #2590875: Missing $userinfo check results in account being created with no user information. A side effect of this problem when your patch is applied is that $userinfo['email'] is empty in your watchdog message:
If you have time to pop over there and test the other patch it would be much appreciated.
Comment #8
Aron Novak
I did a review and tested the patch. It's especially helpful if you'd like to perform an additional validation before login, for instance against the organization inside GitHub for the user trying to log in. The patch worked without any issues; however, comment https://www.drupal.org/node/2559543#comment-10446399 is still valid, but it's outside of the scope here.
Comment #9
ayduns commented
Also tested this with a custom module implementing the hook to check the email domain. Works well. My testing did not trigger the issues reported with empty $userinfo['email'] - the watchdog messages contained the user email. Would be great to get this committed.
Comment #10
hugovk at Digia commented
Comment #11
jcnventura at 1xINTERNET commented
Thanks!
Comment #13
jcnventura at 1xINTERNET commented
For consistency with the D8 version, the hook is now called hook_openid_connect_pre_authorize. Those using this patch will need to rename their existing hook functions. That was the only change I did.
Comment #14
jcnventura at 1xINTERNET commented
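
A domain allow-list check of the kind this thread describes, as an added example that is not part of the patch or of the openid_connect module. The module name mymodule, the allow-list, the hook's parameter list and the return-FALSE-to-block convention are assumptions to confirm against openid_connect.api.php; it fails closed when $userinfo or its email is empty (the case raised in comment #7) and additionally requires the standard email_verified claim.

```php
<?php
// Added example for a hypothetical Drupal 7 custom module "mymodule".

/**
 * Returns TRUE only if $userinfo has a verified email in an allowed domain.
 */
function mymodule_email_domain_allowed($userinfo, array $allowed_domains) {
  // Fail closed when the provider returned no usable userinfo or email.
  if (!is_array($userinfo) || empty($userinfo['email']) || !is_string($userinfo['email'])) {
    return FALSE;
  }
  // Google sends email_verified as a boolean; some providers send "true".
  $verified = isset($userinfo['email_verified']) ? $userinfo['email_verified'] : FALSE;
  if ($verified !== TRUE && $verified !== 'true') {
    return FALSE;
  }
  // Compare the whole domain after the last "@", case-insensitively, so that
  // "example.com.other.test" or "notexample.com" never match "example.com".
  $at = strrpos($userinfo['email'], '@');
  if ($at === FALSE || $at === 0) {
    return FALSE;
  }
  $domain = strtolower(substr($userinfo['email'], $at + 1));
  return in_array($domain, array_map('strtolower', $allowed_domains), TRUE);
}

/**
 * Implements hook_openid_connect_pre_authorize().
 *
 * Signature and return convention are assumed; check openid_connect.api.php.
 */
function mymodule_openid_connect_pre_authorize($tokens, $account, $userinfo, $client_name) {
  // Constructed allow-list; a real module would read this from configuration.
  $allowed = array('example.com', 'example.org');
  if (!mymodule_email_domain_allowed($userinfo, $allowed)) {
    // Record the refusal so blocked attempts are visible in the Drupal log.
    watchdog('mymodule', 'OpenID Connect login blocked for %email via %client.', array(
      '%email' => isset($userinfo['email']) ? $userinfo['email'] : '(none)',
      '%client' => $client_name,
    ), WATCHDOG_WARNING);
    return FALSE;
  }
}
```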